Operation related to user equipment using secret identifier

ABSTRACT

A method performed by a network node (106) of a serving public land mobile network, PLMN, (112) associated with a user equipment, UE, (102) comprising: obtaining a secret identifier (110) that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and performing an operation (108) related to the UE using the secret identifier. Other methods, computer programs, computer program products, network nodes and a serving PLMN are also disclosed.

CROSS REFERENCE TO RELATED APPLICATION(S)

This application is a 35 U.S.C. § 371 National Stage of International Patent Application No. PCT/EP2017/067527, filed Jul. 12, 2017, designating the United States and claiming priority to U.S. provisional application No. 62/363,814, filed on Jul. 18, 2016. The above identified applications are incorporated by reference.

TECHNICAL FIELD

The invention relates to methods wherein an identifier related to a user equipment (UE) is made available for a serving public land mobile network (PLMN). The invention also relates to network nodes, a public mobile land network, computer programs and computer program products.

BACKGROUND

In existing wireless network systems (e.g., 2G, 3G, 4G systems), certain operations require serving PLMNs (other than the home PLMN of the UE) to have access to a particular identifier of the UE, such as an International Mobile Subscriber Identity (IMSI). Knowledge of a long-term identifier corresponding to the UE, however, allows third parties to compromise the privacy of the user, for example, by determining the location of the user based on the identifier. As a result, this UE identifier is typically kept private and treated as a secret, and as such, is often only available to the UE, the home PLMN of the UE, and any other party or device to which access to the identity has been granted by the home PLMN or UE. Though some existing networks utilize encryption methods and/or pseudonyms for UE identities to communicate an identifier of the UE between PLMNs and devices, the communicated identifier is not the secret, long-term identifier of the UE required by some serving PLMN operations.

Therefore, improved techniques for trusted communication of secret UE identifiers are needed to ensure that required UE functionality is maintained across PLMNs without exposing sensitive user information to untrusted parties.

General security-related discussions are ongoing within the 3rd Generation Partnership Project for the Next Generation system. 3GPP TR 33.899 V0.2.0 discusses threats, potential requirements and solutions related to such a system. The document states that lawful interception and other local regulations must be taken into account when designing the new system, but also that the exposure of a subscriber's identity might lead to privacy incidents. No solution is provided to the complex problem of enabling a serving PLMN to perform e.g. lawful interception without risking interception of the wrong subscriber, erroneous charging, and unauthorized access to network resources.

SUMMARY

An object of one or more embodiments of the invention is to enable improved trusted communication of a secret UE identifier across PLMNs without exposing sensitive user information to untrusted parties.

One or more embodiments herein allow for communication of a secret identifier of a UE from a home PLMN of the UE to a serving PLMN. Once obtained by the serving PLMN, the secret identifier can be utilized by the serving PLMN for performing an operation related to the UE. Hereby it is also achieved that network system complexity and security threats can be reduced with respect to operations in a serving PLMN based on a pseudonym identifier.

A first aspect of the invention relates to a method performed by a network node of a serving PLMN associated with a UE. In the method, the network node obtains a secret identifier that uniquely identifies the UE. The secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node. The method also includes the network node performing an operation related to the UE using the secret identifier.

A second aspect of the invention relates to a method performed by a network node of a home PLMN associated with a UE. The network node determines to reveal a secret identifier that uniquely identifies the UE to a serving PLMN of the UE. The secret identifier is a secret that is shared between the UE and at least the home PLMN. According to the method, the network node of the home PLMN reveals the secret identifier to the serving PLMN. Revealing the secret identifier to the serving PLMN allows the serving PLMN to perform an operation related to the UE using the secret identifier.

A third aspect relates to a network node of a serving PLMN associated with a UE. The network node is configured to obtain a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and perform an operation related to the UE using the secret identifier.

A fourth aspect relates to a network node of a home PLMN associated with a UE. This network node is configured to determine to reveal, to a serving PLMN of the UE, a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least the home PLMN; and reveal the secret identifier to the serving PLMN, the secret identifier allowing the serving PLMN to perform an operation related to the UE using the secret identifier.

A fifth aspect relates to a network node of a serving PLMN associated with a UE, the network node comprising a processor and a memory, the memory containing instructions executable by the processor whereby the network node is configured to: obtain a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and perform an operation related to the UE using the secret identifier.

A sixth aspect relates to a network node of a home PLMN associated with a UE, the network node comprising a processor and a memory, the memory containing instructions executable by the processor whereby the network node is configured to: determine to reveal, to a serving PLMN of the UE, a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least the home PLMN; and reveal the secret identifier to the serving PLMN, the secret identifier allowing the serving PLMN to perform an operation related to the UE using the secret identifier.

A seventh aspect relates to a network node of a serving PLMN associated with a UE. The network node comprises: a first module configured to obtain a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and a second module to perform an operation related to the UE using the secret identifier.

An eighth aspect relates to a network node of a home PLMN associated with a UE. The network node comprises: a first module configured to determine to reveal, to a serving PLMN of the UE, a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least the home PLMN; and a second module configured to reveal the secret identifier to the serving PLMN, the secret identifier allowing the serving PLMN to perform an operation related to the UE using the secret identifier.

A ninth aspect relates to a computer program comprising instructions which, when executed by at least one processor of a network node, causes the network node to carry out any one of the above methods.

A tenth aspect relates to a carrier containing the computer program, wherein the carrier is one of an electric signal, optical signal, radio signal, or computer readable storage medium.

An eleventh aspect relates to a method performed by a serving PLMN associated with a UE. The method comprises the steps of receiving, from a home PLMN of the UE after the UE has been successfully authenticated by the home PLMN or the serving PLMN, a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret previously shared between the UE and a home PLMN of the UE; and performing an operation related to the UE.

A twelfth aspect relates to a method performed by a home PLMN associated with a UE. The method comprises the steps of determining to reveal, to a serving PLMN of the UE, a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and the home PLMN; revealing the secret identifier to the serving PLMN after the UE has been successfully authenticated by the home PLMN or the serving PLMN, the secret identifier allowing the serving PLMN to perform an operation related to the UE.

A thirteenth aspect relates to a serving PLMN associated with a UE. The serving PLMN here comprises at least two network nodes, wherein a first network node is configured to receive, from a home PLMN of the UE after the UE has been successfully authenticated by the home PLMN or the serving PLMN, a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that was shared between the UE and the home PLMN. A second network node is in this serving PLMN configured to perform an operation related to the UE using the secret identifier.

The secret identifier may in one or more embodiments of the aspects mentioned above be an unencrypted long-term identifier, e.g. IMSI.

The UE may in one or more embodiments of the aspects mentioned above be authenticated by the serving PLMN. In such embodiments, the secret identifier may be sent from the home PLMN in an update-location-answer message from the home PLMN.

The operation may in one or more embodiments of the aspects mentioned above be lawful interception or charging control related to the UE.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a communication network corresponding to example embodiments of the invention.

FIG. 2 illustrates a method performed by a network node of a serving PLMN according to one or more embodiments.

FIG. 3 illustrates a method performed by a network node of a home PLMN according to one or more embodiments.

FIG. 4 illustrates a process and signal flow implemented in example embodiments of the invention.

FIG. 5 illustrates a process and signal flow implemented in example embodiments of the present invention.

FIG. 6 illustrates a process and signal flow implemented in example embodiments of the present invention.

FIG. 7 illustrates aspects of an example network node of a serving PLMN in example embodiments of the invention.

FIG. 8 illustrates aspects of an example network node of a home PLMN in example embodiments of the invention.

FIG. 9 illustrates an embodiment of a serving PLMN.

DETAILED DESCRIPTION

FIG. 1 illustrates a communication system 100 that includes a home PLMN 114 for a UE 102 and a serving PLMN 112 that provides network access and services to the UE 102. As shown in FIG. 1, the serving PLMN 112 includes a network node 106 (among a plurality of network devices that are not explicitly shown), which is configured to perform at least an operation 108 related to the UE 102 (other UE-related operations performed may exist but are not shown). In some examples, a secret identifier 110 of the UE 102 must be available to the network node 106 (or to the serving PLMN 112, generally) in order for the operation 108 to be performed. By default, however, this secret identifier 110 may be kept as a secret between the home PLMN 114 and the UE 102 (and potentially other devices and/or networks to which the secret identifier 110 has been revealed previously). As such, in at least some examples, the serving PLMN 112 may be required to obtain the secret identifier 110 as a prerequisite to performing the operation 108. The UE may be for example a mobile phone, a laptop, a tablet and an embedded device in e.g. white goods (such as refrigerator) or a vehicle (such as an infotainment system in the dashboard of a car or truck). The network node 106 may for example be an Access and Mobility Management Function (AMF), Security Anchor Function (SEAF), Security Context Management Function (SCMF), Session management Function (SMF) and Policy Control Function (PCF).

In a feature of the invention, the network node 106 of the serving PLMN 112 obtains the secret identifier 110 of the UE 102, for example, via one or more messages 101 sent by a network node 116 (or any other permitted device) of the home PLMN 114. By revealing this secret identifier 110 to the serving PLMN 112, the home PLMN 114 allows the network node 106 of the serving PLMN 112 to perform the operation 108. Other features of the operation, structure, and features of the communication system 100 and the devices and networks therein shown in FIG. 1 will be introduced and explained below with reference to the remaining figures. The network node 116 may for example be an Authentication Server Function (AUSF), Authentication Credential Repository and Processing Function (ARPF), Unified Data Management (UDM), AAA-server (Authentication, Authorization and Accounting server), Structured Data Storage Function (SDSF), and Unstructured Data Storage Function (UDSF).

Before proceeding with further detailed description of the example embodiments, it should be noted that any disclosure that refers to a particular PLMN can be understood as also referring to the network node associated with the particular PLMN. Likewise, any disclosure that refers to a particular network node can be understood as also referring to the PLMN associated with the particular network node. For instance, any feature that is disclosed as corresponding to or being performed by home PLMN 114 should likewise be understood as optionally corresponding to or being performed by network node 116 of FIG. 1. Similarly, any feature that is disclosed as corresponding to or being performed by serving PLMN 112 should likewise be understood as optionally corresponding to or being performed by network node 106 of FIG. 1. With that said, any two or more features or functionalities described as being performed by a PLMN should not be read as necessarily being associated with or performed by the exact same device in the PLMN. Instead, any two or more features that are disclosed as being performed by or associated with a particular PLMN, or disclosed as being performed by or associated with a network node of a particular PLMN should be read as optionally being associated with or performed by different example network nodes of the PLMN. An example of this would be an apparatus comprising two network nodes of the serving PLMN, where a first network node receives the secret identifier 110 from the home PLMN and then enables, through the knowledge of the secret identifier 110, a second network node to perform an operation related to the UE 102.

In an example of this directive, if the present disclosure states that “the serving PLMN 112 stores the public identifier in its memory,” it should also be understood to likewise disclose that “the network node 106 stores the public identifier in the memory of the network node 106 or in any other network node or device of the serving PLMN 112 that contains memory upon which the public identifier may be stored.” Furthermore, if the disclosure additionally states that “the serving PLMN 112 compares a public identifier to an encrypted secret identifier,” it should be understood to likewise disclose that “a comparison of the public identifier and an encrypted secret identifier may be performed at the same network node 106 that stored the public identifier above, or at any other network node (other than the particular network node at which the public identifier was stored in memory) of the serving PLMN that can be understood as performing such a comparison.” In other words, the home and serving PLMNs should be understood as optionally comprising a plurality of network nodes, one or more of which can perform the disclosed functions or features attributed to the PLMN or to a network node thereof.

FIG. 2 illustrates an example method 200 performed by the network node 106 of the serving PLMN 112 for performing the operation 108 that requires knowledge of (or access to) the secret identifier 110 of the UE 102 served by the serving PLMN 112. In some examples, the required secret identifier 110 may identify the UE itself, although it may additionally or alternatively be associated with a particular user or subscriber account corresponding to the UE, where the subscriber account may have particular authentication credentials, charging account or records, tokening and access policies, service parameters including QoS or subscriber level for one or more services, or the like, each of which may be established and/or maintained at the home PLMN 114 of the UE 102. Accordingly, for purposes of the present disclosure, the term user equipment refers to not only a particular device, but may also refer to a subscriber or user having an associated home PLMN. In other words, a secret identifier 110 in the form of an International Mobile Subscriber Identity (IMSI) that uniquely identifies the UE 102 can analogously be said to uniquely identify a subscriber/user to the home PLMN 114 rather than the UE, since the IMSI typically is stored in a Universal Integrated Circuit Card (UICC)/Subscriber Identity Module (SIM) card connected to a Mobile Equipment (ME) to form the UE, and the SIM card can be switched to another ME. As such, uniquely identifying the UE 102 would mean that the IMSI is associated with a certain subscriber of the home PLMN in a database comprised or connected to the home PLMN. It is of course also known to the skilled person that the IMSI in some systems, such as in at least some current 4G systems, actually is used to identify the UE itself and not only the subscriber.

The words “unique” and “uniquely” shall of course be seen in the context of this invention. From a philosophical point of view, it can perhaps not ever be guaranteed that e.g. a certain number, such as a binary number, being unique in one database or in a cluster of databases related to e.g. a home PLMN, cannot be found somewhere else, such as in a completely different computer network or in a private list, for a completely different subscriber or UE.

Additionally, the secret identifier 110 may be a “long-term” identifier, which, for purposes of the present application, corresponds to a static set of alphanumeric characters (or corresponding digital bit values) that are established based on a premise, understanding, and intent that it is to remain unchanged, absent extenuating circumstances that require an alteration, for entirety of the subscription's effective duration. The secret identifier 110 may be a long-term identifier such as, but not limited to, IMSI and/or one or more of the values that make up the IMSI, such as the mobile subscription identification number (MSIN), mobile network code (MNC), and/or mobile country code (MCC). Alternatively or additionally, the secret identifier 110 may comprise long-term identifier such as an International Mobile Equipment Identity (IMEI), Internet Protocol (IP) address, or the like, or a shorter-term identifier, such as a Globally Unique Temporary Identity (GUTI), Cell Radio Network Temporary Identity (C-RNTI), or any similar known identifier that is kept private or can be made private or otherwise can be kept as a secret between a limited set of devices. With respect to an IP address as a long-term identifier, a static IP address is clearly such an example, but in dependence on use case also an IP address assigned by a Dynamic Host Configuration Protocol server may be a long-term identifier. In other circumstances a dynamically assigned IP address is deemed as a short-term identifier. A long-term identifier as understood by a person skilled in the art does not necessarily have to be a permanent identifier. A permanent/long-term identifier is sometimes in 5th generation (5G) discussions called Subscriber Permanent Identifier (SUPI).

Returning to method 200, at block 202, the network node 106 obtains a secret identifier 110 that uniquely identifies the UE. As discussed above, the secret identifier 110 is a secret (i.e., is privately-held by a limited, discrete set of networks and devices) that is shared between the UE and at least a home PLMN of the UE and is sent by the home PLMN to the network node 106.

Furthermore, at block 204 of method 200, the network node 106 performs the operation 108 related to the UE 102, and uses the obtained secret identifier 110 to do so. Although not all UE-related operations performed by a network node or a serving PLMN require that the secret identifier 110 be known, some operations (including some required by law) do require (or can optionally utilize) the secret identifier 110 before execution. For instance, the operation 108 may be an operation related to a lawful interception of the UE. A serving PLMN which knows the secret identifier 110 of the UE 102 can therefore support lawful interception without a home PLMN's assistance or visibility. In other examples, the operation 108 may be economic or marketing in nature, such as an operation for recognizing one or more UEs that have previously been served by a particular PLMN and providing one or more incentives for these UEs to connect to the serving PLMN (or, if an optional reselection or handover is imminent, incentive to remain connected to the serving PLMN). In still other examples, the operation may be related to certain UE-specific operational service parameters or guarantees, such as setting or modifying one or more Quality of Service parameters associated with a UE (or user/subscriber). The operation could alternatively be related to policy and/or charging control associated with the UE 102. Although these few examples provide a limited picture of some example operations that may utilize a secret identifier 110 of a UE or network subscriber, the feature of obtaining a secret identifier by a serving PLMN or revealing the secret identifier by a home PLMN can be extended to any operation or process that may be applied at a single-UE granularity.

In addition to the features of blocks 202 and 204, method 200 may include additional or alternative aspects that are not explicitly shown in FIG. 2. For example, the network node 106 of serving PLMN 112 may receive, from the UE, a public identifier (i.e., non-secret or unencrypted identifier associated with the UE) and/or a pseudonym corresponding to the UE. After receiving the public identifier and/or pseudonym, the network node 106 may forward the public identifier and/or pseudonym to the home PLMN 114 of the UE. The public identifier and/or pseudonym sent to the home PLMN may serve as an implicit request for the home PLMN 114 to reveal the secret identifier 110 to the serving PLMN 112 (e.g., to the network node 106), or the network node 106 may generate and send an explicit request for the secret identifier 110 to the home PLMN 114 along with the forwarded public identifier and/or pseudonym. As such, obtaining the secret identifier at block 202 may be in response to the forwarding of the public identifier and/or pseudonym corresponding to the UE 102.

As will be discussed further below, the network nodes of the serving PLMN and/or the home PLMN 114 may perform authentication to help ensure that the secret identifier 110 is not revealed in response to a malicious request by a third-party that is not authorized to obtain the secret identifier 110. As such, in some examples, the network node 106 may receive the secret identifier 110 only after the UE has been successfully authenticated by the home PLMN (and/or the serving PLMN, see below). Therefore, if authentication is unsuccessful at the home PLMN, the home PLMN 114 may inform the serving PLMN that authentication failed (e.g., via a failure message) or may simply not reveal the secret identifier to the serving PLMN, which can serve as an implicit indication of authentication failure in some examples. However, when the secret identifier 101 is sent to the serving PLMN by the home PLMN (for instance, after home PLMN UE authentication or confirmation of serving PLMN authentication success, in some examples) it may be communicated via an Extensible Authentication Protocol (EAP) message from the home PLMN 114 to the serving PLMN 112.

As introduced above, authentication of the UE 102 may also be performed by network nodes 106 of the serving PLMN 112. To perform this authentication, a network node 106 may require a public identifier and/or pseudonym of the UE 102 (for identification of the UE targeted for authentication) and authentication information that contains rules and/or processes necessary to perform the authentication procedure at the network node 106. Therefore, method 200 may include, in some examples, obtaining a public identifier and/or pseudonym of the UE 102 from the UE itself (or from another device that possesses this information) and receiving the authentication information from the home PLMN 114 (e.g., from network node 116). In an aspect, the authentication information is communicated by the home PLMN to the serving PLMN in one or more messages that are formed in an Evolved Packet System-Authentication and Key Agreement (EPS-AKA) format and communicated via an authentication vector that is contained in the one or more communicated messages.

Once the public identifier and/or pseudonym and the authentication information have been obtained/received by the network node 106 or by the serving PLMN 112, generally, the network node 106 performs authentication operations to determine whether the UE is authenticated (i.e., that the UE 102 is truly a subscriber of home PLMN 114 or otherwise permitted to prompt the home PLMN 114 to reveal the secret identifier 110 to the serving PLMN 112). If the authentication operations are successful (e.g., the operations determine that the UE 102 (or a request therefrom) is authentic (i.e., that the UE 102 is a verified subscriber to home PLMN 114)), network node 106 may communicate an authentication success message to the home PLMN to inform the home PLMN that the UE has been successfully authenticated by the serving PLMN. In addition, when received and processed at the home PLMN 114, the authentication success message can trigger the home PLMN to send the secret identifier 110 to the serving PLMN.

In the above-described example, the serving PLMN 112 receives the secret identifier 110 from the home PLMN after the UE 102 has been authenticated by the serving PLMN or by the home PLMN. In these embodiments, the network node 106 may receive the secret identifier from the home PLMN via an authentication-information-answer (AIA) message (e.g., according to the Diameter authentication, authorization, and accounting (AAA) protocol) generated and sent from the home PLMN after authentication of the UE 102 has succeeded. Although performing authentication before the home PLMN sends the secret identifier 110 to the serving PLMN can provide an added level of security for the method 200, it is not a requirement for all embodiments. Accordingly, in some embodiments, the serving PLMN (e.g., via network node 106) may receive the secret identifier 110 from the home PLMN 114 before the UE 102 is authenticated by the serving PLMN 112 or the home PLMN 112. In these alternative embodiments, the secret identifier may be sent via an update-location-answer (ULA) message (e.g., according to the Diameter authentication, authorization, and accounting (AAA) protocol) generated and sent from the home PLMN before authentication of the UE 102 has succeeded at either of the serving or home PLMNs.

In an additional aspect of some embodiments of method 200, as a further security measure to avoid unauthorized dissemination of the secret identifier 110 and to check that the secret identifier sent by the home PLMN is genuine, the serving PLMN 112 (e.g., via network node 106) may verify that a public identifier and the obtained secret identifier 101 correspond to the same UE. Although this verification procedure is mainly described by the present disclosure as being performed by the network node 106 (or by the serving PLMN 112, generally), this is not a limiting feature. Instead, the verification can alternatively or additionally be performed in the home PLMN 114 and/or by another device or network that is not shown in FIG. 1 (e.g., a dedicated security system or AAA service, for example).

When performed at the serving PLMN 112, however, the verification procedure may extend the above-described group of features that can be performed by the network node 106 in executing method 200. For instance, using an asymmetric encryption scheme based on a public key of the home PLMN, which public key is known to both the UE and the home PLMN, may in one embodiment of the verification be as follows. The verification includes the network node 106 obtaining encryption information for encrypting the secret identifier 110, for example, from the home PLMN 114. This encryption information includes the public key of the home PLMN 114 that can be used to encrypt the secret identifier 110 into a public, encrypted identifier of the UE. As mentioned above, this public identifier may be initially obtained by the network node 106 (or the serving PLMN 112, generally) from UE 102, i.e. the UE may previously have generated the public identifier by encrypting its IMSI with the public key of the home PLMN and sent this public identifier (i.e. the IMSI encrypted with the public key of the home PLMN) to the network node 106. Once obtained by the network node 106, the encryption information can be utilized by the network node 106 to generate an encrypted secret identifier by encrypting the obtained secret identifier 110 with the public key of the home PLMN. The network node 106 may now proceed by comparing the resulting encrypted secret identifier and the previously received (and stored) public identifier received from the UE. This comparison may result in a determination by the network node 106 that the encrypted secret identifier and the public identifier match. Such a match may indicate that the verification has succeeded. In an aspect, the criteria that define a “match” may be preconfigured by the user or by the home PLMN or serving PLMN. These criteria for determining that a match exists may be tailored to a desired level of precision, from requiring an exact bit-level match or by defining a percentage, ratio, or raw number of matching bits that meets a predefined verification threshold criterion. Regardless of the particular implemented criteria for defining verification success, if the criteria are met, the network node 106 can verify that the public identifier and the secret identifier correspond to the same UE based on determining that the encrypted secret identifier and the public identifier match. As a result, requests from unauthorized UEs having a public identifier that does not “match” the revealed secret identifier 110 can be effectively discovered and remedied to limit the dissemination of the secret identifier 110 to unauthorized parties. In other words, an operation such as lawful interception becomes more reliable by determining that the UE and the home PLMN are not cheating the serving PLMN.

In a first alternative embodiment of the verification, an Elliptic Curve Integrated Encryption Scheme (ECIES) is used. Similarly to the embodiment described above, the home PLMN's public key is known to the UE 102 and the home PLMN 114, but here the UE 102 also has its own pair of public and private keys (i.e. of the UE 102). The UE 102 generates a first symmetric encryption key based on its own private key and the public key of the home PLMN 114. The public identifier is then generated by the UE 102 by encrypting the secret identifier (e.g. IMSI) with the first symmetric encryption key. The public identifier and the public key of the UE 102 are sent to the serving PLMN 112, which receives them and also forwards them to the home PLMN 114. Then, in addition to sending the secret identifier to the serving PLMN, the home PLMN also produces and sends the encryption information in the form of a second symmetric encryption key, which is produced by the home PLMN using the private key of the home PLMN and the received public key of the UE 102. Serving PLMN 112 may now encrypt the secret identifier received from the home PLMN 114 with the second symmetric encryption key, and then perform the verification by comparing the encrypted secret identifier with the public identifier. A match is enabled due to the fact that the second symmetric key is the same as the first symmetric key due to cryptographic properties provided by key exchange algorithms such as Diffie-Hellman.
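The exchange of the first alternative above, together with the decrypt-and-compare variant described in the next paragraph, can be traced end to end in the following added example, which is not part of the patent text. It assumes a toy finite-field Diffie-Hellman group in place of the elliptic-curve agreement of ECIES and a deterministic HMAC-based keystream cipher; all function names, the subscriber set and the IMSI values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption, NOT a production parameter set).
# It stands in for the elliptic-curve key agreement that ECIES would use.
P = 2**255 - 19
G = 2

# Constructed test IMSIs (test MCC 001 / MNC 01); the home PLMN's database.
SUBSCRIBERS = {"001010123456789", "001010987654321"}


def keypair():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def symmetric_key(own_priv, peer_pub):
    """Derive a 32-byte symmetric key from the DH shared secret."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def xor_stream(key, data):
    """Deterministic keystream cipher (HMAC-SHA256 in counter mode).

    Encryption and decryption are the same operation. Determinism is what
    lets the serving PLMN compare by re-encrypting; with a randomised
    cipher only the decrypt-and-compare variant would work.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def ue_attach(imsi, ue_priv, home_pub):
    """UE: public identifier = IMSI encrypted under the first symmetric key."""
    k1 = symmetric_key(ue_priv, home_pub)
    return xor_stream(k1, imsi.encode())


def home_reveal(public_id, ue_pub, home_priv):
    """Home PLMN: derive the second key and reveal (IMSI, key), or None.

    Looking the subscriber up by decrypting the public identifier is an
    assumption of this example.
    """
    k2 = symmetric_key(home_priv, ue_pub)
    imsi = xor_stream(k2, public_id).decode(errors="replace")
    if imsi not in SUBSCRIBERS:
        return None
    return imsi, k2


def serving_verify_encrypt(public_id, revealed_imsi, k2):
    """First alternative: re-encrypt the revealed identifier and compare."""
    return hmac.compare_digest(xor_stream(k2, revealed_imsi.encode()), public_id)


def serving_verify_decrypt(public_id, revealed_imsi, k2):
    """Second alternative: decrypt the public identifier and compare."""
    return hmac.compare_digest(xor_stream(k2, public_id), revealed_imsi.encode())


def run_exchange(ue_imsi, revealed_override=None):
    """Run UE -> serving PLMN -> home PLMN -> serving PLMN once.

    revealed_override models a home PLMN answer that names a different
    subscriber than the one behind the public identifier.
    Returns (encrypt-and-compare result, decrypt-and-compare result).
    """
    home_priv, home_pub = keypair()
    ue_priv, ue_pub = keypair()
    public_id = ue_attach(ue_imsi, ue_priv, home_pub)   # UE -> serving PLMN
    answer = home_reveal(public_id, ue_pub, home_priv)  # forwarded to home PLMN
    if answer is None:
        return (False, False)                           # nothing revealed
    imsi, k2 = answer
    if revealed_override is not None:
        imsi = revealed_override
    return (serving_verify_encrypt(public_id, imsi, k2),
            serving_verify_decrypt(public_id, imsi, k2))


if __name__ == "__main__":
    print("honest exchange:   ", run_exchange("001010123456789"))
    print("mismatched answer: ", run_exchange("001010123456789", "001010987654321"))
    print("unknown subscriber:", run_exchange("999990000000000"))
```

Both checks use an exact bit-level match; the looser match criteria mentioned earlier in the description are not modelled here.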

A second alternative embodiment of the verification is similar to the first alternative embodiment, but instead of encrypting the received secret identifier with the second symmetric encryption key, the serving HPLMN decrypts the public identifier with the second symmetric encryption key and compares the decrypted public identifier with the secret identifier.

FIG. 3 illustrates an example method 300 performed by a network node 116 of a home PLMN 114 for revealing, to a disparate serving PLMN 112, a secret identifier 110 of a UE 102 that is served by the serving PLMN 112. According to example method 300, at block 302, the network node 116 determines to reveal, to the serving PLMN 112 of the UE 102, a secret identifier 110 that uniquely identifies the UE 102. As described above, this secret identifier 110 is a secret that is shared between the UE 102 and at least the home PLMN 114. In addition, example method 300 includes the network node 116 revealing the secret identifier to the serving PLMN. In some non-limiting examples, revealing the secret identifier to the serving PLMN can include sending an EAP message to the serving PLMN that includes the secret identifier 110. Regardless of the particular message format utilized to send the secret identifier 110 to the serving PLMN 112, the serving PLMN 112 can perform an operation 108 related to the UE 102 using the revealed secret identifier 110.
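The key agreement and comparison described in the first and second alternative embodiments of the verification can be traced end to end with the following added example, which is not code from the patent. It assumes X25519 as the Diffie-Hellman exchange, a SHA-256 key derivation and an HMAC-based keystream as a stand-in for the symmetric cipher; all function names, seeds and the IMSI value are constructed for illustration.

```python
import hashlib
import hmac

P = 2**255 - 19                      # Curve25519 field prime (RFC 7748)
A24 = 121665
BASE = (9).to_bytes(32, "little")    # standard X25519 base point


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Illustration only: not constant time."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed: bytes):
    """Deterministic key pair from a constructed seed (real keys: CSPRNG)."""
    priv = hashlib.sha256(seed).digest()
    return priv, x25519(priv, BASE)


def derive_key(shared: bytes, ue_pub: bytes) -> bytes:
    """Assumed KDF: hash the DH output together with the UE public key."""
    return hashlib.sha256(b"added-example-kdf" + shared + ue_pub).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Deterministic keystream cipher (stand-in; a deployment would use a
    vetted cipher). Encryption and decryption are the same operation."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(data, stream))


def ue_public_identifier(imsi: str, ue_priv: bytes, home_pub: bytes) -> bytes:
    """UE: first symmetric key from its private key and the home public key."""
    k1 = derive_key(x25519(ue_priv, home_pub), x25519(ue_priv, BASE))
    return stream_xor(k1, imsi.encode())


def home_encryption_info(home_priv: bytes, ue_pub: bytes) -> bytes:
    """Home PLMN: second symmetric key from its private key and the UE public key."""
    return derive_key(x25519(home_priv, ue_pub), ue_pub)


def verify_by_encrypting(imsi: str, k2: bytes, public_id: bytes) -> bool:
    """First alternative: serving PLMN encrypts the revealed IMSI and compares."""
    return hmac.compare_digest(stream_xor(k2, imsi.encode()), public_id)


def verify_by_decrypting(imsi: str, k2: bytes, public_id: bytes) -> bool:
    """Second alternative: decrypt the public identifier and compare."""
    return hmac.compare_digest(stream_xor(k2, public_id), imsi.encode())


def demo() -> dict:
    imsi = "001010123456789"                       # constructed test IMSI
    ue_priv, ue_pub = keypair(b"constructed UE seed")
    home_priv, home_pub = keypair(b"constructed home PLMN seed")
    public_id = ue_public_identifier(imsi, ue_priv, home_pub)  # UE -> serving -> home
    k2 = home_encryption_info(home_priv, ue_pub)               # home -> serving
    k1 = derive_key(x25519(ue_priv, home_pub), ue_pub)
    return {
        "keys_equal": k1 == k2,
        "encrypt_match": verify_by_encrypting(imsi, k2, public_id),
        "decrypt_match": verify_by_decrypting(imsi, k2, public_id),
        # A revealed IMSI that is not the one the UE encrypted must be rejected.
        "wrong_imsi": verify_by_encrypting("001010999999999", k2, public_id),
        "public_id_len": len(public_id),
    }


if __name__ == "__main__":
    print(demo())
```

Encrypt-and-compare only works when the encryption is deterministic for a given key; with a randomized cipher the nonce has to accompany the public identifier, or the decrypt-and-compare variant is used instead.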

Although not explicitly shown in FIG. 3, method 300 can optionally include further aspects, some of which have been introduced above in reference to the method 200 performed on the serving PLMN 112 side. For example, the network node 116 can perform authentication of the UE 102 as an optional additional aspect of method 300. When authentication is done at the home PLMN, it is guaranteed that the UE is present at the serving PLMN. In performing this authentication, the network node 116 can, for example, receive a public identifier and/or pseudonym of the UE 102, which may be forwarded to the home PLMN 114 by the serving PLMN (for instance, in an explicit or implicit request for the home PLMN 114 to reveal the secret identifier 110 and/or to verify the UE 102) or which may be saved in the home PLMN from a previous authentication, for example. Upon executing the authentication procedure, the network node 116 can determine that the UE 102 has been successfully authenticated based on the public identifier and/or pseudonym. In some implementations, a determination by the network node 116 to reveal the secret identifier to the serving PLMN 112 requires successful authentication of the UE 102. However, in some examples, such prior authentication success is not necessary for revealing the secret identifier 110 to a particular serving PLMN 112, despite the associated increased risk of dissemination of the secret identifier 110 to unauthorized parties.

In certain embodiments wherein the serving PLMN performs the authentication procedure, the home PLMN 114 can communicate authentication information to the serving PLMN 112, which is utilized by the serving PLMN 112 (e.g., at network node 106) to perform independent authentication of the UE 102. The authentication information can be formed in an EPS-AKA format and may be communicated to the serving PLMN 112 via an authentication vector. In addition, in some examples, the network node 116 may receive an authentication success message from the serving PLMN 112 that informs the home PLMN 114 that the UE 102 has been successfully authenticated by the serving PLMN 112. Receiving the authentication success message can trigger the home PLMN 114 to reveal the secret identifier to the serving PLMN 112 in some instances. Revealing the secret identifier 110 may include the network node 116 sending the secret identifier 110 to the serving PLMN via an ULA message. In other example implementations, however, prior UE authentication is not mandated, and as such, the network node 116 can optionally reveal the secret identifier 110 by sending it to the serving PLMN 112 before the UE is authenticated (e.g. by the serving PLMN or the home PLMN 114). In these examples, the network node 116 can send the secret identifier 110 to the serving PLMN 112 after the UE 102 is authenticated by the serving PLMN (e.g., via an AIA message). When authentication is done at the serving PLMN, it is perhaps not guaranteed that the UE is present in the serving PLMN, but the serving PLMN can still be held accountable.

FIGS. 4, 5, and 6 present different example process and signal flows for different example embodiments for revealing the secret identifier 110 of the UE 102 to a serving PLMN 112 of the UE 102. The example embodiments illustrated in FIGS. 4, 5, and 6 are by no means intended to be an exclusive set of all possible embodiments. Instead, these illustrated example embodiments represent a subset of possible embodiments that are contemplated by the present disclosure.

Turning to these illustrated example embodiments, FIG. 4 illustrates an example implementation whereby authentication of the UE 102 is required before revealing the secret identifier 110 to the serving PLMN 112 and where the authentication is performed at the home PLMN using a public (i.e. non-secret) identifier (such as a pseudonym or an encrypted long-term identifier of the UE 102). As shown in FIG. 4, the serving PLMN may initiate the process by determining a need to perform an operation related to the UE for which the private identifier of the UE is a prerequisite to execution. Based on this determination, the serving PLMN 112 sends a request to the UE 102 for the public identifier of the UE (if not already known by the serving PLMN, in some examples). In response to the request, the UE 102 sends this public identifier to the serving PLMN 112, and after receiving the public identifier, the serving PLMN 112 forwards the public identifier to the home PLMN 114. By forwarding the public identifier to the home PLMN 114, the serving PLMN 112 can implicitly indicate to the home PLMN 114 that the serving PLMN 112 requests that the home PLMN 114 reveal the secret identifier 110 of the UE 112. In alternative examples, the serving PLMN 112 may send a separate, explicit request to the home PLMN 114 for the home PLMN 114 to reveal the secret identifier 110 of the UE 112.

In the example embodiment of FIG. 4, after receiving the public identifier, the home PLMN 114 performs authentication operations, and determines that the authentication is successful. This successful authentication indicates that the UE 102 is actually present in (e.g., is currently being served by) serving PLMN 112. Based on this successful authentication, the home PLMN 114 makes a determination to reveal the secret identifier of the UE 102 to the serving PLMN 112 and proceeds with revealing the secret identifier to the serving PLMN 112. This can be accomplished by sending the secret identifier in a dedicated message or by piggy-backing the secret identifier data onto scheduled or queued (and/or future) messages to be sent to the serving PLMN. After receiving the secret identifier, the serving PLMN 112 performs the operation related to the UE.

FIG. 5 illustrates another example implementation whereby the UE verification procedure is performed by the serving PLMN 112. Again in the example embodiment of FIG. 5, authentication of the UE 102 is required before revealing the secret identifier 110 to the serving PLMN 112 and where the authentication is performed at the home PLMN using a public identifier. To ensure readability, the initial steps of determining a need to perform a UE-related operation, requesting the public identifier from the UE, and the serving PLMN performing the operation are not shown in FIG. 5, though these features are optionally included in this example implementation.

As shown, once the requested public identifier (e.g. the IMSI of the UE 102 encrypted with the public key of the home PLMN 114) is returned by the UE 102, the serving PLMN stores the public identifier in memory (e.g., in memory of one or more network nodes) and then forwards the public identifier to the home PLMN 114, which again triggers the home PLMN 114 to perform authentication. As the authentication is successful, the home PLMN 114 determines to reveal the secret identifier to the serving PLMN 112. Furthermore, the home PLMN 114 may send encryption information to the serving PLMN 112 along with the secret identifier, as the encryption information is private (i.e. a secret that may be kept only by the home PLMN 114 and any other devices to which the home PLMN 114 allows encryption information access). The encryption information may include a public key associated with the home PLMN 114. In alternative implementations, the encryption information may be sent before (or after) the home PLMN 114 sends the secret identifier, and in other examples where the encryption information was previously obtained by the serving PLMN 112 during a separate process iteration, may not be sent at all for subsequent process iterations.

Upon receiving the secret identifier and the encryption information from the home PLMN 114, the serving PLMN 112 performs a verification operation, which can help ensure that the public identifier does not correspond to a different UE than the UE 102 to which the revealed secret identifier corresponds. As explained in reference to earlier figures, this verification can involve several steps, which may include utilizing the encryption information to generate an encrypted version of the secret identifier. Once the encrypted secret identifier is generated, the serving PLMN may compare it to the stored public identifier. If the comparison reveals that the public identifier and the encrypted secret identifier match (e.g. meet certain static or alterable criteria defining a match), the verification procedure may be successful in determining that the public identifier and the secret identifier correspond to a single UE that is an authenticated subscriber of the home PLMN 114. Again, though not explicitly shown in FIG. 5, the serving PLMN may perform the operation related to the UE after verification.

FIG. 6 illustrates another example implementation whereby the UE authentication procedure is performed by the serving PLMN 112. Also, the serving PLMN 112 of FIG. 6 performs the UE verification procedure that is outlined above with respect to FIG. 5. Unlike the embodiments of proceeding in FIGS. 4 and 5, in the example embodiment of FIG. 6, authentication of the UE 102 is optional before revealing the secret identifier 110 to the serving PLMN 112. As such, the home PLMN 114 may reveal the secret identifier to the serving PLMN 112 before any authentication of the UE is performed (here, before authentication is performed at the serving PLMN 112). Alternatively, the home PLMN 114 may be configured to require confirmation from the serving PLMN 112 that the UE has been successfully authenticated before making a determination to send the secret identifier to the serving PLMN 112. Both of these options are illustrated in the process and signal flow of FIG. 6, and the signals associated with these options are indicated as optional (because the “other” option may be implemented in every case) by dashed signal lines.

To again ensure readability, the initial steps of determining a need to perform a UE-related operation, requesting the public identifier from the UE, and the serving PLMN performing the operation are not shown in FIG. 6, though these features are optionally included in this example implementation.

As illustrated at the top of the process and signal flow of FIG. 6, once the requested public identifier is sent to the serving PLMN 112 by the UE 102, the serving PLMN 112 stores the public identifier in memory (e.g., in memory of one or more network nodes) and then forwards the public identifier to the home PLMN 114. Rather than triggering authentication by the home PLMN 114 as in FIGS. 4 and 5, however, receiving the public identifier triggers the home PLMN 114 to send authentication information necessary for UE authentication to the serving PLMN 112. Furthermore, as mentioned above, the home PLMN 114 may optionally send the secret identifier before the authentication is performed by the serving PLMN 112 (in one option where authentication or confirmation thereof is not required by the home PLMN 114 before revealing the secret identifier). This is represented by the topmost dashed signal line of FIG. 6.

Upon receiving the authentication information, the serving PLMN 112 may perform the UE authentication procedure. If the authentication fails, the process can be terminated and an indication of such failure may optionally be sent to the home PLMN 114 (not shown). However, if the authentication is successful and the home PLMN 114 requires confirmation of successful UE authentication before revealing the secret identifier, the serving PLMN generates and sends an authentication confirmation message to the home PLMN 114. In response to receiving the authentication confirmation message, the home PLMN 114 determines to reveal the secret identifier to the serving PLMN 112.

Furthermore, as was previously shown in reference to FIG. 5, the home PLMN 114 may send encryption information to the serving PLMN 112 along with the secret identifier, which causes the serving PLMN 112 to perform the steps of the verification operation to determine that the public identifier and the secret identifier correspond to a single UE that is an authenticated subscriber of the home PLMN 114. Again, though not explicitly shown in FIG. 5, the serving PLMN may perform the operation related to the UE after verification.

FIG. 7 illustrates additional details of an example network node 106 of a serving PLMN 112 according to one or more embodiments. The network node 106 is configured, e.g., via functional means or units (also may be referred to as modules or components herein), to implement processing to perform certain aspects described above in reference to FIGS. 2 and 4-6. The network node 106 in some embodiments for example includes an obtaining means or unit 750 for obtaining a secret identifier of a UE, an operation performing means or unit 760 for performing one or more operations requiring the secret identifier of a particular UE, an authentication means or unit 770 for performing UE authentication processing, and/or a verifying means or unit 780 for performing verification procedures associated with a particular UE. These and potentially other functional means or units (not shown) together perform the aspects of method 200 presented in FIG. 2 and/or features described in FIGS. 4-6 as being related to the serving PLMN 112 and/or network node 106.

In at least some embodiments, the network node 106 comprises one or more processing circuits 720 configured to implement processing of the method 200 of FIG. 2 and certain associated processing of the features described in relation to FIGS. 4-6, such as by implementing functional means or units above. In one embodiment, for example, the processing circuit(s) 720 implements functional means or units as respective circuits. The functional units may thus be implemented with pure hardware, like ASICs or FPGAs. In another embodiment, the circuits in this regard may comprise circuits dedicated to performing certain functional processing and/or one or more microprocessors in conjunction with a computer program product in the form of a memory 730. In embodiments that employ memory 730, which may comprise one or several types of memory such as read-only memory (ROM), random-access memory, cache memory, flash memory devices, optical storage devices, etc., the memory 730 stores program code that, when executed by the one or more microprocessors, carries out the techniques described herein.

In one or more embodiments, the network node 106 also comprises one or more communication interfaces 710. The one or more communication interfaces 710 include various components (e.g., antennas 740) for sending and receiving data and control signals. More particularly, the interface(s) 710 include a transmitter that is configured to use known signal processing techniques, typically according to one or more standards, and is configured to condition a signal for transmission (e.g., over the air via one or more antennas 740). Similarly, the interface(s) include a receiver that is configured to convert signals received (e.g., via the antenna(s) 740) into digital samples for processing by the one or more processing circuits. In an aspect, the obtaining module or unit 750 may comprise or may be in communication with the receiver. The transmitter and/or receiver may also include one or more antennas 740.

Those skilled in the art will also appreciate that embodiments herein further include corresponding computer programs. A computer program 790 comprises instructions which, when executed on at least one processor of the network node 106, cause the network node 106 to carry out any of the respective processing described above. Furthermore, the processing or functionality of network node 106 may be considered as being performed by a single instance or device or may be divided across a plurality of instances of network node 106 that may be present in a given serving PLMN such that together the device instances perform all disclosed functionality. In addition, network node 106 may be any known type of device associated with a PLMN that is known to perform a given disclosed process or function. Examples of such network nodes 106 include eNBs, Mobility Management Entities (MMEs), gateways, servers, and the like. In other words, the network node 106 may be a node residing in a core network part or an access network part of the serving PLMN.

FIG. 8 illustrates additional details of an example network node 116 of a home PLMN 114 according to one or more embodiments. The network node 116 is configured, e.g., via functional means or units (also may be referred to as modules or components herein), to implement processing to perform certain aspects described above in reference to FIGS. 2 and 4-6. The network node 116 in some embodiments for example includes a determining means or unit 850 for determining whether to reveal a secret identifier of a UE, a revealing means or unit 860 for revealing the secret identifier, and an authentication means or unit 870 for performing authentication of UEs. These and potentially other functional means or units (not shown) together perform the aspects of method 300 presented in FIG. 3 and/or features described in FIGS. 4-6 as being related to the home PLMN 114 and/or network node 116.

In at least some embodiments, the network node 116 comprises one or more processing circuits 820 configured to implement processing of the method 200 of FIG. 3 and certain associated processing of the features described in relation home PLMN 114 and/or network node 116 to FIGS. 4-6, such as by implementing functional means or units above. In one embodiment, for example, the processing circuit(s) 820 implements functional means or units as respective circuits. The functional units may thus be implemented with pure hardware, like ASICs or FPGAs. In another embodiment, the circuits in this regard may comprise circuits dedicated to performing certain functional processing and/or one or more microprocessors in conjunction with a computer program product in the form of a memory 830. In embodiments that employ memory 830, which may comprise one or several types of memory such as read-only memory (ROM), random-access memory, cache memory, flash memory devices, optical storage devices, etc., the memory 830 stores program code that, when executed by the one or more microprocessors, carries out the techniques described herein.

In one or more embodiments, the network node 116 also comprises one or more communication interfaces 810. The one or more communication interfaces 810 include various components (e.g., antennas 840) for sending and receiving data and control signals. More particularly, the interface(s) 810 include a transmitter that is configured to use known signal processing techniques, typically according to one or more standards, and is configured to condition a signal for transmission (e.g., over the air via one or more antennas 840). In an aspect, the revealing module or unit 860 may comprise or may be in communication with the transmitter. Similarly, the interface(s) include a receiver that is configured to convert signals received (e.g., via the antenna(s) 840) into digital samples for processing by the one or more processing circuits. The transmitter and/or receiver may also include one or more antennas 840.

Those skilled in the art will also appreciate that embodiments herein further include corresponding computer programs. A computer program 880 comprises instructions which, when executed on at least one processor of the network node 116, cause the network node 116 to carry out any of the respective processing described above. Furthermore, the processing or functionality of network node 116 may be considered as being performed by a single instance or device or may be divided across a plurality of instances of network node 116 that may be present in a given home PLMN such that together the device instances perform all disclosed functionality. In addition, network node 116 may be any known type of device associated with a PLMN providing wireless communication services and/or network access to one or more UEs that is known to perform a given disclosed process or function. Examples of such network nodes 116 include eNBs, Mobility Management Entities (MMEs), gateways, servers, and the like. In other words, the network node 116 may be a node residing in a core network part or an access network part of the home PLMN.

Embodiments further include a carrier containing such a computer program. This carrier may comprise one of an electronic signal, optical signal, radio signal, or computer readable storage medium (like the memories 730 and 830 respectively). A computer program in this regard may comprise one or more code modules or code parts corresponding to the means or units described above.

As mentioned above in conjunction with FIG. 1, various nodes of the serving PLMN 112 may perform the steps attributed to the serving PLMN or the network node 106. FIG. 9 illustrates an embodiment of a serving PLMN within that concept. The serving PLMN here comprises at least two network nodes. A first network node 900 is, similarly to the network node 106, configured to receive the secret identifier 110 from the home PLMN after the UE 102 has been successfully authenticated. The first network node may then initiate a second network node 902 to perform the operation 108 using the secret identifier. In case the serving PLMN performs the authentication, a third network node 906 of the serving PLMN may be configured to authenticate the UE 102 and communicate with the home PLMN, i.e. informing the home PLMN of a successful authentication or explicitly requesting the home PLMN to send the secret identifier 110 to the serving PLMN/the first network node 900.

The present embodiments may, of course, be carried out in other ways than those specifically set forth herein without departing from essential characteristics of the invention. The present embodiments are to be considered in all respects as illustrative and not restrictive, and all changes coming within the meaning and equivalency range of the appended claims are intended to be embraced therein.

The invention claimed is:
 1. A method performed by a network node of a serving public land mobile network (PLMN) associated with a user equipment (UE), the method comprising: the network node of the serving PLMN receiving, from the UE, a public identifier or a pseudonym corresponding to the UE, wherein the UE has a home PLMN and the serving PLMN is not the UE's home PLMN; the network node of the serving PLMN forwarding to the UE's home PLMN the public identifier or pseudonym corresponding to the UE; the network node of the serving PLMN receiving from the UE's home PLMN an international mobile subscriber identity (IMSI) in response to the network node of the serving PLMN forwarding the public identifier and or pseudonym to the UE's home PLMN, wherein the IMSI uniquely identifies the UE and is a secret that is shared between the UE and at least the UE's home PLMN; receiving authentication information from the home PLMN, the authentication information allowing the serving PLMN to perform authentication of the UE; using the authentication information to determine, by the serving PLMN, that the UE is successfully authenticated; and performing an operation related to a lawful interception of the UE using the IMSI.
 2. The method of claim 1, wherein the IMSI is received based on the UE being successfully authenticated by the home PLMN.
 3. The method of claim 1, wherein receiving the IMSI comprises receiving an Extensible Authentication Protocol (EAP) message from the home PLMN.
 4. The method of claim 1, wherein the authentication information is formed in an Evolved Packet System-Authentication and Key Agreement (EPS-AKA) format and is communicated to the serving PLMN via an authentication vector.
 5. The method of claim 1, further comprising communicating an authentication success message to the home PLMN to inform the home PLMN that the UE has been successfully authenticated by the serving PLMN, the authentication success message triggering the home PLMN to send the secret identifier to the serving PLMN.
 6. The method of claim 1, wherein obtaining the IMSI comprises receiving the IMSI from the home PLMN before the UE is authenticated by the serving PLMN.
 7. The method of claim 6, wherein receiving the IMSI from the home PLMN comprises receiving an authentication-information-answer message from the home PLMN.
 8. The method of claim 1, wherein receiving the IMSI comprises receiving the IMSI from the home PLMN after the UE is authenticated by the serving PLMN.
 9. The method of claim 8, wherein receiving the secret identifier from the home PLMN comprises receiving an update-location-answer message from the home PLMN.
 10. The method of claim 9, further comprising verifying that the public identifier or the pseudonym and the IMSI correspond to the UE.
 11. The method of claim 10, wherein the verifying comprises: obtaining encryption information for encrypting the IMSI; generating an encrypted IMSI by encrypting the IMSI using the encryption information; determining that the encrypted IMSI and the public identifier match based on a comparison; and verifying that the public identifier and the IMSI correspond to the UE based on determining that the encrypted IMSI and the public identifier match.
 12. The method of claim 11, wherein the encryption information comprises a public key of the home PLMN.
 13. A network node of a serving public land mobile network (PLMN) associated with a user equipment (UE), the network node comprising: a processor; and a memory, the memory containing instructions executable by the processor wherein the network node is configured to: receive, from the UE, a public identifier or a pseudonym corresponding to the UE, wherein the UE has a home PLMN and the serving PLMN is not the UE's home PLMN; forward the public identifier or pseudonym to a home PLMN of the UE; receive from the home PLMN an international mobile subscriber identity (IMSI) in response to the forwarding of the public identifier or pseudonym, wherein the IMSI uniquely identifies the UE and is a secret that is shared between the UE and at least the home PLMN; receive authentication information from the home PLMN, the authentication information allowing the serving PLMN to perform authentication of the UE; use the authentication information to determine, by the serving PLMN, that the UE is successfully authenticated; and perform an operation related to a lawful interception of the UE using the IMSI.
 14. The network node of claim 13, wherein the public identifier comprises an encrypted version of the IMSI.
 15. A method performed by a serving public land mobile network (PLMN) associated with a user equipment (UE), the method comprising: the serving PLMN receiving, from the UE, a public identifier or a pseudonym corresponding to the UE, wherein the UE has a home PLMN and the serving PLMN is not the UE's home PLMN; the serving PLMN forwarding to the UE's home PLMN the received public identifier or pseudonym; the serving PLMN receiving, from the UE's home PLMN after the UE has been successfully authenticated by the home PLMN or the serving PLMN, an international mobile subscriber identity (IMSI) that uniquely identifies the UE and is a secret previously shared between the UE and the home PLMN; the serving PLMN receiving authentication information from the home PLMN, the authentication information allowing the serving PLMN to perform authentication of the UE; the serving PLMN using the authentication information to determine, by the serving PLMN, that the UE is successfully authenticated; and performing a lawful interception related to the UE.
 16. The method according to claim 15, wherein the UE is authenticated by the serving PLMN.
 17. The method of claim 15, wherein the public identifier comprises an encrypted version of the IMSI.
 18. A method performed by a security function in a serving public land mobile network (PLMN), the method comprising: the security function in the serving PLMN (S-PLMN) receiving a message transmitted by a user equipment (UE), wherein the UE has a home PLMN (H-PLMN) that is different than the S-PLMN, the UE stores a subscription identifier, and the message comprises an encrypted version of the subscription identifier; the security function in the S-PLMN transmitting to an authentication function in the UE's H-PLMN a first authentication message, the first authentication message comprising the encrypted version of the subscription identifier; the security function in the S-PLMN receiving a first authentication response message transmitted by the authentication function in the UE's H-PLMN, wherein the first authentication response message comprises authentication information for use in authenticating the UE; after the security function in the S-PLMN receives the authentication information transmitted by the network node of the H-PLMN, the security function in the S-PLMN performing an operation in support of authenticating the UE; after the security function in the S-PLMN performs the operation in support of authenticating the UE, the security function in the S-PLMN transmitting a second authentication message to the authentication function in the UE's H-PLMN, wherein the second authentication message enables the authentication function in the UE's H-PLMN to verify whether or not the UE is authentic; after the security function in the S-PLMN transmits the second authentication message to the authentication function in the UE's H-PLMN, the security function in the S-PLMN receiving a second authentication response transmitted by the authentication function in the UE's H-PLMN, wherein the second authentication response transmitted by the authentication function in the UE's H-PLMN comprises the subscription identifier and further comprises an encryption key; after receiving the second authentication response, the security function in the S-PLMN providing to a lawful intercept function in the S-PLMN the subscription identifier; and the lawful intercept function performing an operation related to a lawful interception of the UE using the subscription identifier.
 19. The method of claim 18, wherein performing the operation in support of authenticating the UE consists of transmitting towards the UE a message comprising the authentication information.